A security researcher discovered a 'cookiejacking' flaw in all IE versions that could allow an attacker to steal your session cookies and then log onto your password-protected sites such as Gmail, Facebook or Twitter.

Regardless of the version of Windows you use, if you also use any version of Microsoft's Internet Explorer, then you might not want to do any drag-and-dropping within your IE browser, or you might be done in by "cookiejacking." It's not CookieMonster or Firesheep, but there is a zero-day hole in IE that allows an attacker to steal session cookies from any website.

At the Hack In The Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, an attacker can access any site the victim is logged into, such as Gmail, Facebook, Twitter or other online accounts. His code to exploit the flaw explicitly targets cookies issued by Facebook, Twitter and Gmail, but Valotta says his technique can be used on any website. The attacker is limited only by his imagination.

The vulnerability was found in IE's security zone mechanism, which is supposed to keep zones from mixing; it is meant to prevent sites in the "untrusted" Internet zone from embedding content from the "trusted" local zone. Yet Valotta discovered that cookie files were exempt from this mechanism and could be loaded into iframes. The cookie contents were rendered as invisible text and moved with the HTML5 drag-and-drop feature to the main browser window. "This breaks the Cross zone interaction policy as an Internet page is accessing a local file," Valotta wrote on tentacoloViola, where he explained the entire exploit.

For his cookie-hijacking exploit to work, however, some social engineering is required to get the victim to drag and drop an object in the browser. Although that might sound challenging, Valotta showed with a proof-of-concept Facebook application that it's not too difficult at all. He said he used an "advanced Clickjacking technique called 'content extraction' and some little JS tricks in order to lure my victim into drag&drop the cookie into an attacker controlled HTML element." He created a puzzle game (video) and shared it with his friends, secretly stealing each victim's Facebook session cookie. "I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server. And I've only got 150 friends," he told Reuters.

Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

H Security noted, "The researcher notified the Microsoft Security Response Center of the original hole on 28 January 2011 and Microsoft solved the problem before the final version of IE9 was released on 18 March. However, only two weeks later, Valotta found a slightly modified approach that also allowed him to steal cookies from IE9 users, which he demonstrated (direct download PowerPoint file)" at the Hack In The Box security conference.